The Future of Information Security

One of the most challenging aspects of security is that it exists in a dimension of time. Security is not the same as it was yesterday, and we can reasonably assume that tomorrow will also be somewhat different. An organization that is extremely safe today can be vulnerable tomorrow, which makes keeping up with security a challenging, yet essential task. Though it is difficult to predict the future, it is possible for us to take a look at modern trends in information security and draw some conclusions as to what tomorrow may hold.

Stopping the Problem at its Source

I previously discussed that the majority of security concerns within the average organization come from vulnerabilities that exist within operating systems, applications, and services. Historically, applications have been written with very poor security, leaving systems vulnerable to attack. This problem has been primarily one of focus. To be competitive, a software development company must focus on what the market wants, which to date has primarily been functionality. The numerous security problems in commercial products such as Microsoft Windows have probably had only a minor impact on the sales of their packages. New products that are extremely secure are put to market all the time, yet we continue to purchase the vulnerable ones. This shows that the world, thus far, has found security issues to be acceptable when compared to products with enhanced features. Products that are less functional and more secure are less attractive than products that are extremely functional and vulnerable. This attitude, however, is changing.

Microsoft, for example, notorious for generating buggy code and giant security holes, has begun to take strides by training its staff on producing secure code. Microsoft teams have been working to enhance the security of their products in an attempt to curb the massive tide of vulnerabilities we have seen in recent times. Is this a noble effort? Certainly not. Such companies are simply responding to marketplace demands, and the recent demand happens to focus more on information security. If enhancing the security of a product will result in more sales, then, and only then, will the average software development company make it a top priority.

Lucky for us, the market has begun to focus more and more on security over the past few years, especially since the major exploits in 2000 and 2001 that spurred software development companies into action with their own security efforts. This is a very hopeful sign for those of us in the security industry, and one would hope that it leads to far fewer vulnerabilities in the future.

Raising the Consciousness

Another great stride in the evolution of information security has been an increased sense of security awareness among the general population. As we have seen, humans have long been big contributors to the vulnerabilities found in most organizations. In recent times, however, people have begun to think, to some degree, about security, and are becoming more aware of their actions. While humans will continue to be a source of security problems for many years to come, we are seeing many good signs that more people are becoming security-focused.

A few years back, security was rarely thought of outside of medium and large companies. Recently, however, it has become evident that security affects everyone, not just banks and corporate giants. With this in mind, the general public has begun to think in terms of security and to protect themselves and their information. Before Jane attaches to the Internet, for example, she activates her personal desktop firewall. A few years ago, Jane would not have even known what a firewall was! This marks a great stride forward in security. After all, the ultimate evolution of security will come not through technology, but through awareness.

Technical Developments

The future of security technology is, in my opinion, going to have less of an effect on the average organization than the two topics we just covered. This being said, however, security technologies are continuing to grow stronger, more scalable, and easier to use. A primary focus with new security technologies is to enable the use of security while minimizing the impacts on the environment. Security technology companies understand that, for a security product to be successful, it must be virtually invisible to the end-users. This has led to the development of many technical enhancements that make security somewhat transparent in an organization.

There will, of course, always be stronger encryption algorithms, better enterprise management systems, and a ton of cool toys and gadgets that will compete for space in the security marketplace. Such tools will help to make security much easier and more efficient, allowing us to focus more of our attention on the human security factors. These advancements, however, will have minor impacts compared to the evolution of technical solutions that make security transparent to the end-user.

The Evolution of the Security Mind

To date, security has been a goal unachieved by many organizations. For some, information security appears to be a large, untamable beast that they simply hope will not bite them. As we have seen, though, security is not a monster, but rather a series of interrelated core concepts surrounded by an infinite number of possibilities. By taking our eyes off the infinite possibilities and focusing on the core concepts presented in this book, security becomes a much easier matter to comprehend and deal with. Placing proper focus on daily practices allows organizations to break away from the traditional security nightmares and makes security a natural extension of everyday actions.

When an organization makes decisions using a developed security mind, it separates itself from the struggles and costs commonly associated with information security. In this infinitely dynamic world of IT, practicing such higher principles of security is the only chance we have to defend ourselves against enemies. If organizations continue to embrace new security technologies without developing a higher understanding of security, the enemies will simply be required to develop new and more clever technologies with which to attack us. However, when organizations begin to develop a security mind, they will begin to transcend such common "thrust and parry tactics," and through these efforts, emerge from the war victorious.



Inside the Security Mind: Making the Tough Decisions
ISBN: 0131118293
EAN: 2147483647
Year: 2006
Pages: 119
Authors: Kevin Day
